exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Twiki Perl Code Execution

Twiki Perl Code Execution
Posted Oct 10, 2014
Authored by Peter Thoeny

The debugenableplugins request parameter in Twiki versions 4.x, 5.x, and 6.0.0 allows arbitrary Perl code execution.

tags | exploit, arbitrary, perl, code execution
advisories | CVE-2014-7236
SHA-256 | 7e6bafc3f4e27a15de8ac1ae847247abec86cca045f3b86848aeae7d24f79d02

Twiki Perl Code Execution

Change Mirror Download
This is an advisory for TWiki administrators: The debugenableplugins request parameter allows arbitrary Perl code execution.

TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.

* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix for TWiki Production Release 6.0.0
* Hotfix for Older Affected TWiki Releases
* Verify Hotfix
* Authors and Credits
* Action Plan with Timeline
* External Links
* Feedback

---++ Vulnerable Software Version

* TWiki-6.0.0 (TWikiRelease06x00x00)
* TWiki-5.1.x (TWikiRelease05x01x00 to TWikiRelease05x01x04)
* TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)
* TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)
* TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)
* TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)
* TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)

---++ Attack Vectors

Using an HTTP GET request towards a TWiki server, add a specially crafted 'debugenableplugins' request parameter to TWiki's view script (typically port 80/TCP). Prior authentication may or may not be necessary.

---++ Impact

A remote attacker can execute arbitrary Perl code to view and modify any file the webserver user has access to.

---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level:

* Severity 1 issue: The web server can be compromised

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7236 [7] to this vulnerability.

---++ Details

It is possible to execute arbitrary Perl code by adding a =debugenableplugins= parameter with a specially crafted value. Example:

http://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The TWiki site is vulnerable if you see a page with text "Vulnerable!".

__Background:__

TWiki allows enabling specific plugins for debug purposes using a 'debugenableplugins' parameter that lists the plugins to enable. In order to support this dynamic loading of plugins, TWiki inserts the plugin name into the following Perl =eval= statement without sanitizing the plugin name:
<verbatim>
my $p = $this->{module};
eval "use $p;";
</verbatim>

---++ Countermeasures

* Apply hotfix (see patch below).
* Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01) [2]

---++ Hotfix for TWiki Production Release 6.0.0

Apply the patch listed in the TWiki bug item at TWikibug:Item7558 [8]. The patch is also listed here, but due to whitespace changes in e-mail it is not recommended to use below patch.

NOTE: In case you use a Perl accelerator make sure to clear the script cache. For example, in case of SpeedyCGI remove the speedy cache (tmp/speedy.*) before restarting Apache.

Affected file: twiki/lib/TWiki/Plugins.pm

Patch to sanitize the 'debugenableplugins' parameter:

=======( 8>< CUT )===============================================
--- TWiki/Plugins.pm.save1 2014-01-09 02:10:56.000000000 -0500
+++ TWiki/Plugins.pm 2014-10-01 20:30:36.000000000 -0400
@@ -186,8 +186,11 @@

unless( $allDisabled ) {
if ( $query && defined( $query->param( 'debugenableplugins' ))) {
- @pluginList = split( /[,\s]+/,
- $query->param( 'debugenableplugins' ));
+ @pluginList =
+ grep { /Plugin$/ }
+ map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter
+ split( /[,\s]+/, $query->param( 'debugenableplugins' ));
+
} else {
if( $TWiki::cfg{PluginsOrder} ) {
foreach my $plugin( split( /[,\s]+/,
=======( 8>< CUT )===============================================

---++ Hotfix for Older Affected TWiki Releases

Apply above patch (line numbers may vary).

---++ Verify Hotfix

To verify the patch add the following parameter to any TWiki topic:

?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The site is vulnerable if a page is returned with text "Vulnerable!"

---++ Authors and Credits

* Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue to the twiki-security@lists.sourceforge.netmailing list
* PeterThoeny for creating the fix, patch and advisory
* HideyoImazu for creating the TWiki-6.0.1 production release [2]

---++ Action Plan with Timeline

* 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4]
* 2014-10-01 - developer verifies issue - PeterThoeny
* 2014-10-01 - developer fixes code - PeterThoeny
* 2014-10-05 - developer creates new TWiki-6.0.1 patch release [2] with fix - HideyoImazu
* 2014-10-06 - security team creates advisory with hotfix - PeterThoeny
* 2014-10-07 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - PeterThoeny
* 2014-10-09 - publish advisory in Codev web and update all related topics - PeterThoeny
* 2014-10-09 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny

---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 (will be created on 2014-10-09)
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236 - CVE on MITRE.org
[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7558

---++ Feedback

Please provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 once it exists (this topic will be created on Mon, 2014-10-09).

Please send an e-mail to twiki-security@lists.sourceforge.net if you have any questions before Monday.

-- Peter Thoeny - 2014-10-09


--
> Peter Thoeny - Peter09[at]Thoeny.org
> http://bit.ly/MrTWiki - consulting on enterprise collaboration
> http://TWiki.org - is your team already TWiki enabled?
> Knowledge cannot be managed, it can be discovered and shared
> This e-mail is: (_) private (_) ask first (x) public
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close